
We’ve intercepted an ongoing malicious campaign relying on injected/embedded iFrames at Web sites that act as intermediaries for client-side exploits to take place. Let’s dissect the campaign, expose the malicious domain portfolio/infrastructure it relies on, and directly connect it with historical malicious activity, in this particular case a social engineering campaign pushing fake browser updates.

Sample screenshot of the script identifying the client’s Flash Player version:


iFrame URL: –

Known to have responded to the same IP ( are also the following malicious domains: – Email:

Sample detection rate for the malicious script: MD5: efcaac14b8eea9b3c42deffb42d59ac5 – detected by 30 out of 43 antivirus scanners as Trojan:JS/Iframe.BS
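The injected script above is classified generically as an iFrame trojan, and the hallmark of this campaign is an iFrame that the site owner never placed there. As an added defender-side example (not code from the original post or from Webroot), the following Python scans page source for iFrames that show the usual hiding tricks: near-zero width/height, `display:none`/`visibility:hidden` styling, off-screen positioning, or a `src` on a host other than the page’s own. The sample HTML, the page host `www.example.com` and the `evil.example` host are constructed placeholders, not indicators from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style fragments that hide an element outright (spaces stripped before matching).
HIDING_STYLES = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes arrive as (name, None); normalise to empty string.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _near_zero(value):
    """True when a width/height attribute resolves to 0 or 1 (e.g. "0", "1px")."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons...])] for each iframe that looks hidden or injected.

    page_host is the hostname the HTML was fetched from; an iframe whose src
    points elsewhere is reported as external, which on its own is only a
    weak signal but combines with hiding tricks into a strong one.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            reasons.append("external src %s" % host)
        if _near_zero(attrs.get("width", "")) or _near_zero(attrs.get("height", "")):
            reasons.append("near-zero size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(fragment in style for fragment in HIDING_STYLES):
            reasons.append("hidden by style")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate same-host embed, one classic injected
# zero-size hidden frame, one same-host frame pushed off-screen.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/video" width="640" height="360"></iframe>
<p>Contact us</p>
<iframe src="http://evil.example/in.php" width="0" height="0"
        style="display: none;"></iframe>
<iframe src="http://www.example.com/ads.html" width="300" height="250"
        style="position:absolute; left:-9999px; top:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("SUSPICIOUS %s: %s" % (src, ", ".join(reasons)))
```

Run against a site’s own rendered pages on a schedule and diff the findings against a known-good baseline: a legitimate embed will be listed every time, while a freshly injected frame shows up as a new entry pointing at a host the site has no business loading.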

The following malicious MD5s are also known to have been hosted on the same IP (
MD5: 7b3d9e48deac8d0b33f6fc4235361cbd
MD5: ed5c71023a505bd82f5709bfb262e701
MD5: 2e899f619c9582e79621912524a0bafb

Client-side exploits serving URL: –

Domain name reconnaissance: – known to have responded to the same IP is also

Detection rates for the dropped PDF exploits:
MD5: 77cd239509c0c5ca6f52c38a23b505f3 – detected by 3 out of 48 antivirus scanners as Heuristic.BehavesLike.PDF.Exploit-CRT.F; HEUR_PDFJS.STREM
MD5: 131e53c40efddfc58f5ac78c7854bc73 – detected by 3 out of 48 antivirus scanners as Exploit.Script.Heuristic-pdf.gutws; Heuristic.BehavesLike.PDF.Exploit-CRT.F

Both malicious PDF files exploit CVE-2010-0188 and also phone back to:

It gets even more interesting, taking into consideration the fact that the iFrame injected/embedded URL includes a secondary iFrame pointing to a, surprise, surprise, Traffic Exchange network. Not surprisingly, we also identified a related threat that is currently using the same infrastructure as the official Web site of the Traffic Exchange.


Secondary iFrame: –

Known to have responded to the same IP in the past are also the following malicious domains:

Which inevitably leads us to 961dba6cf73d24181634321e90323577 – detected by 13 out of 48 antivirus scanners as TROJ_GEN.R0CBOH0I713; Artemis!961DBA6CF73D.

Once executed, it phones back to – –

The following MD5s are also known to have phoned back to the same IP in the past:
MD5: c4fb386b785e8c337e378d2c318c18c7
MD5: db872312b12f089cc525068b8c67baaf
MD5: 5457197c011263db0820fc6b6788b45c
MD5: 217745fadde1d42cc31ba20b4eb601d3
MD5: ba11bb7704cc36ad55b22c00080b6d39
MD5: 70d821fa0b6bdf30221cce9e3ad40727
MD5: 12d1436481c6a19c05a12578249683b2

Moreover, is also directly related to, as it used to push fake browser updates, similar to the MD5s at and

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff
